Rule documentation

Learn everything about our rules, and how to leverage them to drive absolute quality in your development team.

78 articles in this collection
Written by Lorenzo Frattini and Gabriele Gallo Stampino
Security best practices

Passwords set programmatically

Detect instances in which users' passwords are set programmatically.
Written by Gabriele Gallo Stampino

Flow Access Restriction

Detect Flows without any access restriction (neither by a profile nor by a permission set).
Written by Gabriele Gallo Stampino

Email spamming risk

Detect instances in which it is possible to send emails without any control, directly invokable by end users.
Written by Gabriele Gallo Stampino

Insecure sharing to external users

Written by Gabriele Gallo Stampino

Server-side Payload Injection

Written by Gabriele Gallo Stampino

User Registration Without Limits

Written by Gabriele Gallo Stampino

LWC Clickjacking on CSS

Detect components that are vulnerable to Clickjacking.
Written by Gabriele Gallo Stampino

Import of sensitive fields in Lightning Web Components (LWC)

Written by Gabriele Gallo Stampino

Direct DOM manipulation in Lightning Web Components (LWC)

Detect LWC templates that use direct DOM manipulation and bypass the secure Shadow DOM provided by Lightning Web Components.
Written by Gabriele Gallo Stampino

Sensitive information storage

Detect when sensitive information such as tokens and secrets is stored insecurely.
Written by Gabriele Gallo Stampino

Sensitive information logging

Inspect the data model definition, and ensure sensitive information isn’t logged or exposed unsafely to avoid data leaks.
Written by Gabriele Gallo Stampino

Excessive data access permissions

Detects the use of "ViewAllData" and "ViewAllRecords" in profiles.
Written by Gabriele Gallo Stampino

Subresource integrity

Detect subresource integrity vulnerabilities.
Written by Gabriele Gallo Stampino

Content Security Policy (CSP)

Make sure that resources used by Visualforce or Lightning components are retrieved securely in accordance with your Content Security Policy.
Written by Lorenzo Frattini

Insecure endpoints

Ensure HTTP callouts use secured endpoints (HTTPS) to protect your application and users from attack.
Written by Lorenzo Frattini

Named credentials

Enforce using named credentials instead of manually hard-wiring credentials when performing HTTP requests.
Written by Lorenzo Frattini

Randomization of cryptographic keys

Detect uses of cryptography with hard-wired keys, so that the security of encrypted data is not compromised.
Written by Lorenzo Frattini
Coding best practices

Call to blocklisted method

Detects any call to a method that is part of a block list.
Written by Gabriele Gallo Stampino

Identify methods with global visibility

Detects methods that can be referenced from outside a managed package.
Written by Gabriele Gallo Stampino

Asynchronous methods in loops

Prevent the use of asynchronous Apex methods (@future) inside loops, to help your application cope with larger volumes of data properly.
Written by Lorenzo Frattini

Boundaries on SOQL statements

Ensure all SOQL statements are bound by either a LIMIT or a WHERE clause.
Written by Lorenzo Frattini

Bulkification of triggers

Ensure your Apex triggers can process data in bulk and properly deal with larger volumes.
Written by Lorenzo Frattini

Business logic in triggers

Detect the presence of non-trivial business logic inside Apex triggers.
Written by Lorenzo Frattini

Metadata API recency

Ensure your components are up to date with a recent enough version of the Salesforce API.
Written by Lorenzo Frattini

Multiple triggers per object

Detect multiple triggers on the same object, and prevent non-deterministic behaviours.
Written by Lorenzo Frattini

Nested IFs

Keep your code easy to read and test by limiting the use of nested conditional structures.
Written by Lorenzo Frattini

Number of arguments per method

Limit the number of arguments allowed for each method to keep your code easy to read and maintain.
Written by Lorenzo Frattini

Number of methods per class

Limit the number of methods allowed per Apex class, to encourage good design.
Written by Lorenzo Frattini

Send email in loops

Prevent uses of Messaging.sendEmail inside loops, to reduce the risk of running into governor limits.
Written by Lorenzo Frattini
Database operations

Non-selective SOQL queries on large objects

Detect potentially slow queries when working with large objects.
Written by Gabriele Gallo Stampino

Direct access utility class

Detects any direct usage of SOQL in Apex classes.
Written by Gabriele Gallo Stampino

Data manipulation utility class

Detects any direct usage of DML methods in Apex classes.
Written by Gabriele Gallo Stampino

CRUD and Field-Level Security

Ensure that CRUD permissions and Field-Level Security are enforced in Visualforce and Lightning, to avoid exposing sensitive data.
Written by Lorenzo Frattini

Data access in loops

Prevent the use of any SOQL or DML inside loops to help your application cope with larger volumes of data properly.
Written by Lorenzo Frattini

Data manipulation in constructors

Prevent all constructors from writing to the database, so that creation of objects does not have any data-altering side-effects.
Written by Lorenzo Frattini

Exception handling

Enforce the presence of a try/catch block to handle possible exceptions around DML statements.
Written by Lorenzo Frattini

Sharing

Ensure proper sharing behaviour on classes that access data or expose data in views or APIs.
Written by Lorenzo Frattini

Transaction control

Enforce the use of transaction control (savepoints and rollbacks) when multiple database operations are performed within the same block.
Written by Lorenzo Frattini